U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF INSPECTOR GENERAL

Catalyst for Improving the Environment

Quick Reaction Report

Results of Technical Network Vulnerability Assessment:
EPA's Andrew W. Breidenbach Environmental Research Center
Report No. 10-P-0210

September 7, 2010

Report Contributors:
    Rudolph M. Brevard
    Charles Dade
    Cheryl Reid
    Michael Goode, Jr.
    Vincent Campbell


U.S. Environmental Protection Agency                         10-P-0210
Office of Inspector General                           September 7, 2010

At a Glance
Catalyst for Improving the Environment

Results of Technical Network Vulnerability Assessment:
EPA's Andrew W. Breidenbach Environmental Research Center

Why We Did This Review

As part of the annual audit of the U.S. Environmental Protection Agency's (EPA's) compliance with the Federal Information Security Management Act, the Office of Inspector General (OIG) conducted network vulnerability testing of the Agency's network devices in EPA's Andrew W. Breidenbach Environmental Research Center building located in Cincinnati, Ohio.

Background

Network vulnerability testing was conducted to identify any network risk vulnerabilities and to present the results to the appropriate EPA officials, who can then promptly remediate or document planned actions to resolve the vulnerability.

What We Found

Vulnerability testing of EPA's Andrew W. Breidenbach Environmental Research Center network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities. The OIG met with EPA information security personnel to discuss the findings. If not resolved, these vulnerabilities could expose EPA's assets to unauthorized access and potentially harm the Agency's network.

What We Recommend

We recommend that the Senior Information Official, Office of Research and Development; Director, Enterprise Desktop Solutions Division, Office of Environmental Information; and Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management:

•   Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.
•   Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.
•   Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Due to the sensitive nature of the report's technical findings, the attachments are not available to the public.

For further information, contact our Office of Congressional, Public Affairs and Management at (202) 566-2391.

To view the full report, click on the following link:
www.epa.gov/oig/reports/2010/20100907-10-P-0210.pdf


UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
WASHINGTON, D.C. 20460

THE INSPECTOR GENERAL

September 7, 2010

MEMORANDUM

SUBJECT:    Results of Technical Network Vulnerability Assessment:
            EPA's Andrew W. Breidenbach Environmental Research Center
            Report No. 10-P-0210

FROM:       Arthur A. Elkins, Jr.
            Inspector General

TO:         Jack Puzak
            Senior Information Official, Office of Research and Development

            Johnny Davis, Jr.
            Director, Enterprise Desktop Solutions Division
            Office of Environmental Information

            Aundair Kinney
            Director, Information Resources Management Division – Cincinnati
            Office of Administration and Resources Management

Attached is the final technical network vulnerability assessment report prepared by the Office of Inspector General (OIG) of the U.S. Environmental Protection Agency (EPA).(1) The site assessment was conducted in conjunction with the Fiscal Year 2010 Federal Information Security Management Act audit. Vulnerability testing of EPA's Andrew W. Breidenbach Environmental Research Center network conducted in June 2010 identified Internet Protocol addresses with numerous high-risk and medium-risk vulnerabilities.

We performed this audit from May through August 2010 at EPA's Andrew W. Breidenbach Environmental Research Center building in Cincinnati, Ohio. We performed this audit in accordance with generally accepted government auditing standards. These standards require that we plan and perform the audit to obtain sufficient and appropriate evidence to provide a reasonable basis for our findings and conclusions based on the audit objectives. We believe the evidence obtained provides a reasonable basis for our findings and conclusions.

We conducted testing to identify the existence of commonly known vulnerabilities using a commercially available network vulnerability assessment tool recognized by the National Institute of Standards and Technology. We tested all Internet Protocol addresses provided by Agency representatives and identified as being associated with network resources controlled by your offices. We used the risk ratings provided by the vulnerability software to determine the level of harm a vulnerability could cause to a network resource. We accepted the results from the software tool. The vulnerabilities identified by the software are disclosed in the attachments. The estimated cost for performing this test and compiling this report is $11,084.

Recommendations

We recommend that the Senior Information Official, Office of Research and Development; Director, Enterprise Desktop Solutions Division, Office of Environmental Information; and Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management:

   1.  Provide the OIG a status update for all identified high-risk and medium-risk vulnerability findings contained in this report.

   2.  Create plans of action and milestones in the Agency's Automated Security Self-Evaluation and Remediation Tracking system for all vulnerabilities that cannot be corrected within 30 days of this report.

   3.  Perform a technical vulnerability assessment test of assigned network resources within 60 days to confirm completion of remediation activities.

Action Required

In accordance with EPA Manual 2750, you are required to provide a written response to this report within 30 calendar days. You should include a corrective actions plan for agreed-upon actions, including milestone dates.

Due to the sensitive nature of the report's technical findings, the full report will not be made available to the public. However, the OIG plans to publish the unrestricted version of this report, your response, and any corrective action plans on OIG's Website, which is available to the public. Therefore, we request that you provide your response to Recommendation 1 in a separate document.

If you or your staff have any questions regarding this report, please contact Rudy Brevard at (202) 566-0893 or brevard.rudy@epa.gov.

----
(1) A vulnerability assessment is the process of identifying, quantifying, and prioritizing (or ranking) the vulnerabilities in a tested information system. A vulnerability assessment does not include a penetration test, which would attempt to use the identified vulnerabilities to gain further access into the tested information system.


Status of Recommendations and Potential Monetary Benefits

                                                                                   POTENTIAL MONETARY
                                                                                   BENEFITS (in $000s)
Rec.  Page                                                             Planned
No.   No.   Subject                                       Status(1)    Completion   Claimed   Agreed To
                                                                       Date         Amount    Amount

 1     2    Provide the OIG a status update for all          U
            identified high-risk and medium-risk
            vulnerability findings contained in this
            report.

 2     2    Create plans of action and milestones in         U
            the Agency's Automated Security
            Self-Evaluation and Remediation Tracking
            system for all vulnerabilities that cannot
            be corrected within 30 days of this report.

 3     2    Perform a technical vulnerability                U
            assessment test of assigned network
            resources within 60 days to confirm
            completion of remediation activities.

Action Official for Recommendations 1, 2, and 3: Senior Information Official, Office of Research and Development; Director, Enterprise Desktop Solutions Division, Office of Environmental Information; and Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management. The Planned Completion Date, Claimed Amount, and Agreed To Amount columns are blank for all three recommendations.

(1) O = recommendation is open with agreed-to corrective actions pending
    C = recommendation is closed with all agreed-to actions completed
    U = recommendation is undecided with resolution efforts in progress


Appendix A

Distribution

Office of the Administrator
Assistant Administrator for Research and Development
Assistant Administrator for Environmental Information and Chief Information Officer
Assistant Administrator for Administration and Resources Management
Acting Senior Agency Information Security Officer
Acting Director, Technology and Information Security Staff
Senior Information Official, Office of Research and Development
Director, Enterprise Desktop Solutions Division, Office of Environmental Information
Director, Information Resources Management Division – Cincinnati, Office of Administration and Resources Management
Agency Follow-up Official (the CFO)
Agency Follow-up Coordinator
General Counsel
Associate Administrator for Congressional and Intergovernmental Relations
Associate Administrator for External Affairs and Environmental Education
Audit Follow-up Coordinator, Office of Environmental Information
Audit Follow-up Coordinator, Office of Research and Development
Audit Follow-up Coordinator, Office of Administration and Resources Management
Inspector General